Can someone help me?! FML…

Rumours of new iPhone in June 2010? True? HTC HD2 looks great!

http://مثال.إختبار
http://例子.测试
http://例子.測試
http://παράδειγμα.δοκιμή
http://उदाहरण.परीक्षा
http://例え.テスト
http://실례.테스트
http://مثال.آزمایشی
http://пример.испытание
http://உதாரணம்.பரிட்சை
http://בײַשפּיל.טעסט

Cool rite? Seems like now got such unicode domain name, but what happens in the background is that it is converted into an ASCII string that looks like http://xn--oaoughou, the key here is the xn-- and after that is a unique ASCII string that is mapped to the unicode domain name. Juz like DNS mapping of IP address to ASCII string, now is Unicode -> ASCII -> IP.

Nice!

Is it possible to do a MITM, detect for say an installer download or Windows Update for hotfix or update exe, then on-the-fly attach something at the end of the exe, or better still repack the whole exe into 2 exe to be dropped?

WIth something like Paros Proxy or even tcpdump sourcecode, it is possible right? I’ve never tried this b4 so things like is there a TCP checksum? What about reporting filesize, will the browser be confused? I’ve seen browser download file where the filesize is unknown but it still know when to complete the download. Damn I need to know more about TCP/IP and HTTP

With a proxy or even a wifi access point, it should be I think easy to intercept a webpage, then modify the content and return to browser, but file download then repack the file is I think a much trickier problem.

Something worth exploring

I managed to get the java pack only last week so still running thru the code but it old news to others already. The tech websites already talked about it, seems is demo/early version with alot of loophole or features missing. You can read this PDF for a overview.

The key points I extract out for your easy reading! Very interesting and sad… battery drain LOL! I wonder the mobile data bill got can refund anot…

OBSERVATIONS
There are several anomalies in the application that lead to the conclusion that it was either not the version intended for deployment; it was mistakenly rolled out or it was an early release that was being tested.
The reasons for such a conclusion can be argued as:
(1) No capability for intercepting incoming messages.
(2) No possibility of silently updating the application with newer releases.
(3) Lack of comprehensive interception capabilities. Only outgoing email messages.
(4) Several segments of unused source code and references that have been hardcoded into the application. Further observations have been listed below.

Disabled Email Control Channel
The email based control channel to send commands to the application is disabled. On further analysis, why it was disabled became clear. When the service-provider sends an email message to activate the application, a copy of this control email would also be delivered to the recipient’s email server. Thus the user would be alerted to possible suspicious activity.

Control Channel Messages
Control channel commands are momentarily visible when they are received. Thus a user who happens to be looking at his handheld screen would see a message appear for a fraction of a second and then instantly disappear. This behavior was observed on a BlackBerry handheld but was not apparent on the BlackBerry handheld simulator.

Hardcoded References
A standard program that is redistributed will usually have some sort of constants or configuration file. The Interceptor application did contain such a file, however the configuration parameters from the file were not used in the execution of the program. Instead, there were hardcoded references that were used. This is what lead to the conclusion that this version of the application was either a early testing version that was mistakenly deployed or it was a badly modified version of an original file.

Battery Drain
The application implements a watcher on all the handheld message folders. This watcher triggers other components whenever a message is received. Despite this, the application polls a function to check if a new message has been received. This constant polling uses processing cycles and thus increases
power consumption. It is very likely that less powerful processors may overheat due to the increased processing activity. This is bad programming practice, especially for handheld devices. It was also the reason users were made suspicious of the program.

Heartbeat
Every hour, each handheld will report its status and version information to the central server. This happens regardless of application is installed on the handheld and is named whether the application is intercepting messages or not.

Encryption
The Interceptor application makes use of encryption when sending intercepted messages or receiving control commands. It does this by encrypting outgoing messages using AES. The keys are hardcoded into the application. For incoming control commands, the messages are decrypted using the device PIN as the decryption key. The encryption type is still AES.

The 2^nd All ‘Bout Security& Connectivity Seminar is here again in Temasek Polytechnic! This seminar provides a knowledge-sharing platform for IT Security, Network Professionals and students.

The seminar includes talks on IT security and connectivity and a Web Challenge (supported by HITB), which is open to public. The aim of the challenge is to test the contestants on various web penetration techniques.

What’s on in 2010?

This year, the All Bout Security Seminar (5 March 2010) will include an additional seminar series on Connectivity, as well as a Web Challenge (supported by HITB).

Event Details:
Date: March 05 2010
Venue: Temasek Polytechnic Auditorium 1
Time: 12pm – 6pm
Programme List: All ‘Bout Security & Connectivity Seminar:

Programme List: Web Challenge (Supported by HITB)
10:00am – 11:00am – Briefing
11:00am – 1:30pm – Play Time
1:30pm – 3:00pm – Lunch & Break
3:00pm – 5:30pm – Challenge Rounds
5:30pm – 6:00pm – Computation of Results
6:00pm – 6:15pm – Announcement of results & Prize Presentation

Web Challenge Details:
Date: March 05 2010
Venue: Temasek Polytechnic Foyer area outside Auditorium
Time: 10am – 6pm
About
The Web Challenge will be organized by the Diploma in Cyber & Digital Security and supported by Hack In The Box (HITB). The Web Challenge aims to be a platform for all to showcase their web penetration testing skills against corporate emulated websites.
Competition Structure
Each participant has a maximum of 20 minutes to complete 4 out of 10 challenges. Upon completion of each level, a separate scoring mechanism will assign the participants a score based on a time-mission scheme (i.e. the faster you complete the levels, the higher your score will be). The challenges will test the contestants on various web penetration techniques including XSS, SQL Injection, Remote File Inclusion, etc.
Who can participate?
This competition will be open to the public.
Prizes
1st – iPod Touch 8GB & Free seat to HITBSecConf2010 – Malaysia (October 2010)
2nd – iPod Shuffle 4GB & Free seat to HITBSecConf2010 – Malaysia (October 2010)
3rd – Free seat to HITBSecConf2010 – Malaysia (October 2010)

The MIME types dunno what corrupted or what, but it is failing to render x-http-php file headers so browser not only dun understand the returned data, but server dun render the file content or recognise it.

So when server dun render a file especially scripted code, what happens? The server RETURNED THE ENTIRE FILE!

Ya, and since the site run WordPress, you hit wp-config.php and it return the whole file with DB username and password.

Super. Can access phpmyadmin WTF… and if UN/PW same, can also access email, cpanel login, ftp, etc etc.

The first is packing using Resource Files, one of the easier ways to do so. In VC++ u can create/import resource files to your VC++ project. That is the easy part. The next part is slightly trickier, u need to extract the resource into a file on the system then somehow execute it. To do that you run the following calls:

hRes = FindResource(…);
hResLoad = LoadResource(…, hRes);
hFile = CreateFile(…);
WriteFile (hFile, …);

With the file created you just do WinExec or something else =)

The 2nd method is similar, but not using Resource Files which can be easy to detect. It requires more work on your part. Basically you need a 2nd program to convert binary data into a string format which you can copy and paste into your VC++ code as a array or string variable. I don’t post code on this cuz there are many ways, eg read 1024 bytes, B64 it, print to output file, or convert to binary-coded string, then B64 it, etc. Bottom line is, convert the binary data to the string. Then your code just reverse it. One note, make sure to strip any trailing padding that some convertor code might add eg B64 likes to add “==” at the end of strings that are too short. Shell code makes use of this technique to hide assembly calls in code.

The 3rd and 4th way are just using existing tools. One way is to use InstallShield. Yes, InstallShield. It gives you a very nice GUI to add files, even to execute which file after unpacking. What you need tho is a original package that used InstallShield, then rebuild the package yourself, except you add in your own files. Simple right?

The 4th way is like the 3rd way, but you might not have InstallShield, cuz later version of VC++ dun have InstallShield free. But you have WinZip, 7-Zip, WinRAR rite? All of them have the ability to create self-extracting archives or SFX. What this SFX is is that it embed the unarchiver program to the SFX then treats the SFX exe as a archive file eg ZIP. A SFX exe you can still open using the archiver tool so it’s not ideal, eg if you created the SFX using WinZip you can open the SFX exe in WinZip and see the contents. Which is still not too bad if you had the original SFX and just re-SFXed it.

You can combine the 1st/2nd techniques with the 3rd/4th techniques, but you need to know how to use ResHacker or a similar tool. The neat thing about 3rd/4th techniques is that with social engineering it might work better since your victim might think since it came from InstallShield or WinZip it is safe =)

There are more advanced techniques eg unpack direct to memory, or using eggdrop instead of unpacking, but I won’t discuss them today =)

Naturally I tried out a POC code (Joomla password reset exploit), let’s call it pen-testing =) it didn’t work that means the site isn’t running Joomla 1.5.5 or older. The JoomScan app also caught my attention, a Nessus type tool for Joomla and the skids out there. Like Nessus it scans for known exploits and warns u.

Of cuz for the 6 exploits posted, all of them are supposed to be 0-day. Are we worried yet? =)

So what’s new about Windows 7? I finally tried it, and guess what, other than the nice GUI, NOTHING MUCH HAS CHANGED!

I tried my self-written trojan on Windows 7, yep, it works. This means the Win2K to XP to Vista to Windows 7 base API and DLL strucuture remains nearly the same if not identical.

Welcome to Windows 7! +)